Tinc VPN

Although tinc is a mesh-topology VPN with no distinction between server and client endpoints (all nodes are equal), for practical purposes my server is the one node that most other hosts connect to anyway, and the one where I do the configuration only once.

Requirements (on all endpoints)

The kernel must support 'tun', i.e. as root:

modprobe tun

In most cases this is not a problem, except on some virtual private servers (ex: a VPS running OpenVZ), where it may require extra configuration from the hosting provider.

Server configuration

Install tinc:

apt-get install tinc

Create the configuration for the network (set of nodes):

mkdir -p /etc/tinc/mynet/hosts

Note that "mynet" is the network name. You will probably want to choose another name. You can have multiple network names, since you can join multiple VPN networks with tinc.

The name (myserverhostname) should match your server's hostname (i.e. the output of the 'hostname' command). I guess it doesn't strictly need to, but keep it simple.

The subnet statement tells tinc what is routable through this node, although we will still have to set a static route on the client endpoint. A subnet of "::/0" is useful if you want to route all IPv6 traffic from the other client endpoint through this server (ex: working from an Internet café whose network doesn't support IPv6 yet). In this case, 2607:f2c0:f00f:2900::/56 is my full network at home.

Create a host entry for the server node:

vim /etc/tinc/mynet/hosts/myserverhostname

Contents:

Address = myserverhostname.example.net

This is the address of your server node. You can use any name as long as it exists and resolves to your server. You could also use a static IPv4 address, if you have one (in my case, the 'A' DNS record for myserverhostname.example.net is a dynamic DNS address).

In the above example, 2607:f2c0:f00f:2921::/64 is the subnet locally accessible from the client. You could also assign just a single /128 address. In this case I took a subnet out of my main network segment at home, since my client node does not have IPv6 addresses of its own. If it already had a static IPv6 address, I would probably have used that instead (ex: if the 'client' was another server).
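The server-side steps above (the tun check, the network directory, the Name in tinc.conf, and the Address/Subnet lines in the host file), collected into one script as an added example that is not part of the original page. It uses tinc's standard tinc.conf key Name and host-file keys Address and Subnet; the TINC_ROOT override, the function names, the owner-only permission on the network directory and the second sample network in the usage are assumptions made for this example.

```shell
#!/bin/sh
# Added example: generate and check a tinc server node's configuration.
# TINC_ROOT defaults to the real location; point it at a scratch directory
# to dry-run without root (assumption for this example, not a tinc setting).
TINC_ROOT="${TINC_ROOT:-/etc/tinc}"

# Return 0 if the kernel offers a TUN device node, 1 otherwise.
tun_available() {
    modprobe tun 2>/dev/null || true   # harmless if built in or not root
    [ -c /dev/net/tun ]
}

# Create <TINC_ROOT>/<net>/ with tinc.conf and a host file for this node.
#   $1 network name, $2 node name (should match `hostname`),
#   $3 public address of the node, then one or more subnets reachable via it.
write_server_node() {
    net="$1"; node="$2"; addr="$3"; shift 3
    hostsdir="$TINC_ROOT/$net/hosts"
    mkdir -p "$hostsdir"
    # tincd later stores this node's private key under the network directory,
    # so keep the tree readable by its owner only (design choice of this example).
    chmod 700 "$TINC_ROOT/$net"
    printf 'Name = %s\n' "$node" > "$TINC_ROOT/$net/tinc.conf"
    {
        printf 'Address = %s\n' "$addr"
        for sn in "$@"; do
            printf 'Subnet = %s\n' "$sn"
        done
    } > "$hostsdir/$node"
}

# Print the Subnet values declared in a host file, one per line.
host_subnets() {
    sed -n 's/^[[:space:]]*Subnet[[:space:]]*=[[:space:]]*//p' "$1"
}

# Return 0 if a host file declares "::/0", i.e. the node offers itself as the
# default IPv6 route for every peer that trusts it (the café use case above).
# Worth checking before you import someone else's host file into your network.
claims_default_v6_route() {
    host_subnets "$1" | grep -qx '::/0'
}

# Usage (values from the text; run with TINC_ROOT=/tmp/tinc-dry-run to test):
#   write_server_node mynet myserverhostname myserverhostname.example.net \
#       2607:f2c0:f00f:2900::/56 ::/0
#   tun_available || echo "no /dev/net/tun: tinc will not start here"
```

The `claims_default_v6_route` check is the defensive angle on the "::/0" subnet: whoever holds a host file with that line is asking every node to send it all IPv6 traffic, so it belongs only on the node you actually intend as the exit.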

When the client connects to the server node, we want to set up routing too: